Friday, 28 February 2014

The NHS data sharing opponents have implemented a cunning
plan to disarm the supporters of the care.data project. It’s called humour, and
it comes by means of a genuinely funny video that aims to undermine those who (like
me) believe that data sharing within the health sector is a good thing.

How will NHS England respond? Perhaps they’ll come up with
something just as funny. I do hope so. Otherwise, I fear that
the opponents will continue to win hands down on the publicity
front.

NHS England wants to do a great amount of good. But do enough
people trust it?

Monday, 24 February 2014

How do you maintain a good on-line reputation? What can you
do when others post extremely embarrassing comments (or images) about you? How
can they be removed – or at least made less visible to search engines, to
prevent others from stumbling across the relevant links?

I've recently been advising someone who is very concerned about what has happened to them: "For years there has been an offensive post about me on the internet. It is embarrassing and I have wished for years that it would get removed. However, the website where it was posted has closed down and I have no means of contacting them."

Despite Google's efforts to remove the offending material from its search results, the victim remains concerned that others will find it.

Not even the fabled "right to be forgotten" proposal in the Data Protection Regulation would have been of much help in this instance, as the material was originally posted by an American company that has since folded, having passed its data assets to another US company before closing down.

How can victims be reassured that embarrassing material won't be shadowing them for years to come?

Of course I appreciate the tension between freedom of expression, on the one hand, and censorship, on the other. But I also appreciate the anguish that victims feel when it appears (at least to them) that they are being unfairly hounded.

Perhaps, in time, the shadow from the embarrassing material will slip down search rankings, as more favourable information about an individual is posted.

But the internet (and particularly the Internet Archive) does not forget. Somehow we have to come to terms with this reality. Just as we need to accept that data controllers have rights, too. Particularly in terms of the information assets they have legitimately acquired.

What’s most poignant is that the person I’m advising is just
17 years old. Having had the shadow of this material around their neck for a
few years already, you can imagine how they might feel if they were told that
there was no hope that this material would ever be placed beyond the reach of
internet users.

If you can’t afford the services of reputation management
companies like Igniyte, then who can you turn to?

Friday, 21 February 2014

Well, over the past 9 months there has been a steady
increase in the number of incidents that have been reported to the ICO. Admittedly,
it is still a minuscule amount. Were it not for our chums in the health, local Government and education sectors, you might be forgiven for thinking that data
controllers had, mostly, blown an almighty raspberry in Wilmslow’s direction by
ignoring the invitation to report data breaches. When even Britain’s mighty telecommunications
companies, who are compelled to make reports, can only think of seven incidents
to report in the past 9 months, you get a sense of what is actually going on.

Does it matter?

It probably only matters if people misuse the statistics
that are eventually published. It would be awful, for example, if NHS opponents
were to misuse the most recently published ICO statistics to infer that data protection
standards in the health sector were significantly worse than in other sectors. No. To my mind, the statistics simply indicate
that NHS managers have a pretty good idea of what is going on within their own
organisations, and they tend to follow the breach reporting rules more closely
than other sectors.

I do hope that the ICO statistics are not going to be misused
by NHS opponents to undermine public confidence in the integrity of the NHS. Especially
now that a public awareness campaign is being relaunched to commend to patients
the potential benefits of greater sharing of some of their medical information. Such
misuse would be completely wrong. Tempting, perhaps, but completely wrong.

When do we get to a stage, though, where the reported statistics
are considered so meaningless that it is not worth carrying out any trend
analysis? Are we seeing most
of this elephant, or are we merely viewing a pimple on the elephant’s bum?

Perhaps what is helpful is not the volume of breach reports
(which contain no information about the number of potential victims affected by each incident), but that
these reports can be used to take a snapshot of the types of incidents that
have occurred. Was the data disclosed in error? Lost in transit? Was there a
technical security failing, or an insecure disposal? Data protection professionals
can then turn the reports into “war stories,” for local consumption.

Accordingly, I think the ICO is right to continue to publish
these statistics, but I would welcome a more thorough “health warning” to
remind the uninitiated that what they are seeing is not the whole picture.

Thursday, 20 February 2014

Well, it’s happened. Commissioner Graham’s tenure
has been extended by two years. He’ll be strapped to the helm of the ICO while
it goes through what can only be described as interesting times. It will be
another Government that decides who ought to replace him in the summer of 2016.

The recent, and impending, departure of other high
profile data protection regulators from the European scene ought to make it harder
for those who see data protection more as a tick-box exercise to
thrive. Christopher Graham’s continued presence on the Article 29 Working Party
will make it easier for him to spread his more pragmatic vision about how good
data protection standards should be implemented across Europe. Those who might
have wished for him to be removed from the European scene have had their hopes
dashed.

The next few years in Wilmslow (and in Brussels) are
not going to be easy. And, it becomes ever harder to expect that institutions
like the ICO should do “more” with “less”, but that is the current political ask.
We’ve seen the difficulties that the
Environment Agency is experiencing, reconciling savage budget cuts with the
need to address our changing climate. Let’s hope that the ICO won’t face a
similar debacle should a new data crisis emerge for which we are all woefully unprepared.

Anyway, Commissioner Graham will be the star turn at
his Data Protection Practitioner Conference in Manchester on 3 March. I predict
that he’ll enter the stage to coloured lights, tumultuous applause, and as the
dry ice wafts away, the ICO Chorus will chant:

Wednesday, 19 February 2014

So, the recent crisis talks have resulted in an outbreak of
common sense – the information sharing proposals are not to be derailed, but
the implementation date will instead be delayed for six months. This will give
the “No, Never” brigade time to encourage more people to register as
conscientious objectors, and it will also give NHS England more time to explain
the benefits of the information sharing scheme to those who want to
listen.

What else might happen to encourage the public to sit up and
take notice? Will a character from The Archers suddenly fall ill and face a
difficult recovery in hospital because their GP medical records were lost in
the recent floods? Can any relevant storylines be slipped into Casualty, Holby
City, 24hrs in A&E, Embarrassing Bodies, or any other of the medical
series currently in production?

Whatever.

At least an argument about the correct protocols for sharing
confidential medical information makes a change from the argument about the
perils of communications surveillance. Memo to Edward Snowden: move over –
let’s have Phil Booth and the medConfidential crew hogging the headlines for a bit.

A note for your diary – if you join the Open Rights Group today,
you will have the pleasure of hearing more about Phil’s concerns at a special
session on 17 March. For those who don’t know, Phil is the former National
Coordinator of NO2ID, the pressure group that opposed the introduction of national identity cards, and we all know how successful that campaign was.

A six month delay won’t necessarily be a problem for NHS
England. It ought to result in more time for “facts” to be publicly discussed
and for determined health professionals to ensure that their patients are
better informed about the choice that is available to them.

But, given Phil’s natural flair for publicity, it could be a
high-profile “anti” campaign that NHS England will be forced to respond to.

Will the delay result in significantly greater numbers of
people who visit their GP’s surgery formally registering their objections to the scheme?

Will the delay result in a new range of choices being made
available – say, one choice covering sharing to identify patterns in care and
to facilitate genuine medical research, and a separate choice covering
sharing / selling to the private sector? That’s not what NHS England want.

My postbag tells me
that there are people who don't object to the
first choice, but who do object to the second, fearing it is highly unlikely to
be used to their benefit. It is feared that insurance companies will match the
data they get with their own records, which might result in
increased premiums and denied cover rather than reduced premiums and
increased cover:

“As
someone who has a history of respiratory issues, but who has been healthy for a
long time, I see a serious risk of the more detailed knowledge of my medical
records being used to disadvantage me in the future. However, I see only benefit in allowing
my details to be used to look at patterns of care and for genuine medical
research. I think more people would be
supportive and there would be less controversy if the permissions structure
reflected the actual stages of sharing that will happen.”

If these fears are groundless, then NHS England needs to
redouble its efforts to get the correct message across.

There is another bright side to this issue. Given the demise
of the European Data Protection Regulation, at least we data protection folk
have something nice and meaty to mull over for the next six months. It
keeps issues about information security in the headlines, and it reminds employers why this
data protection malarkey is so important.

Tuesday, 18 February 2014

I feel quite sorry for the NHS officials who are tasked with
delivering the project to share NHS patient information more efficiently. They
are dedicated professionals, trying to implement what I think is a good idea.

But they are now caught up in a public campaign, which
appears to be growing in terms of media coverage, designed to highlight the
potential drawbacks of the scheme, and to radically change it. Evidently, “crisis talks” are now taking place to determine what to do next.

Have NHS officials done enough to persuade the majority of
the population that there is little to fear from the project? The Privacy Impact Assessment recently published by NHS England asserts that the risks are manageable.
It complements the PIA published last year by the Health & Social Care
Information Centre (HSCIC), which (surprise, surprise) contained the same
message. To be fair, though, the HSCIC’s document focussed less on the
potential risks, and more on the privacy safeguards.

Where does this leave us?

It leaves us in a state where a policy decision now needs to
be made on whether to delay / abandon the implementation of the scheme (which
is pencilled in for next month), or whether to carry on regardless. But how
much more publicity is required before it is considered that patients have been
appropriately informed about the scheme and their right not to participate in
it? And who is empowered to say “stop”?

Perhaps some pressure will be placed on the ICO to issue a “go
/ no-go” pronouncement. But we all know that the ICO is very keen not to stifle
innovation, and in any event it is likely to wish NHS England and the HSCIC to receive
any negative publicity that would result from such a decision, rather than allow any criticism to focus on the role of the regulator.

NHS England’s PIA was pretty realistic about how the data
sharing scheme was likely to resonate with the public. It made the point that there
will always be supporters and opponents:

“In summary, people who conclude that the net impact of
care.data on privacy will be positive are very likely to be supportive of the
programme. Even people who feel the impact will be detrimental to privacy may
recognise that the potential benefits of care.data using data from patient
records are great, and may therefore feel they are justified ethically on that
basis. However, some people may believe that any use of patient identifiable
data without explicit patient consent is unacceptable. These people are
unlikely to be supportive of care.data whatever its potential benefits and may
object to the use of personal confidential data for wider healthcare purposes.

The HSCIC will be processing data on behalf of NHS England
and we have detailed the information governance and pledges in relation to
care.data. The HSCIC PIA concludes 'While the HSCIC is new, its functions,
including the safe and secure processing of data are well founded, tried and
tested in previous constituent organisations. The patient, and therefore
protecting patient confidentiality, is at the heart of everything we do'. NHS
England is committed to working in partnership with the HSCIC and shares this
view.”

One lesson I’ve taken from this saga is that PIAs can be
extremely useful tools for people who are keen to take snippets of text and use
them out of context. But how useful a document will they become if they all
have to be cleared by an organisation’s PR team before they can be formally
published?

Another lesson I suspect the Government will take from this
saga is that it should postpone proposals for new data sharing legislation until
after the next General Election, as such an initiative is hardly likely to be a
vote winner.

Friday, 14 February 2014

No, I’m not bitter, but what better day is there to review anyone’s
broken promises than on St Valentine’s Day?

Take, for example, what was said back in 2010, when the
Coalition Agreement boldly announced what it was that the Coalition Government
would aim to achieve over the life of the current Parliament.

I was particularly drawn to the commitment that: “We will end
the storage of internet and email records without good reason.” Well, well,
well. Today, the chance of a new Communications Data Bill being considered
by Parliament before the General Election in 2015 is absolutely zero. Given the fear that any proposals might be scuppered by politicians determined to do "something" in light of the Snowden revelations, there’s little likelihood of new legislation for the foreseeable future, unless perhaps some European court
throws an almighty fit about how long communications data is currently retained within Europe. And even then, I doubt that a British Government, keen
to display its Eurosceptic credentials, would take any immediate action.

I was also drawn to the Coalition Government’s commitment
that: “We will ban the use of powers in the Regulation of Investigatory Powers
Act (RIPA) by councils, unless they are signed off by a magistrate and required
for stopping serious crime.” This has been done, and to great effect. But has it improved our criminal justice system? Thanks to the state of our criminal justice system, the mechanics of getting
RIPA applications signed off by a magistrate are so cumbersome, expensive and protracted that the volume of RIPA applications from local authorities has plummeted to
historic lows. Those who are celebrating this significant measure are the
dodgy dealers, cowboy builders and other petty criminals who continue to make people’s
lives a misery, but who remain beyond the reach of local authority investigators. Well, well, well.

Tuesday, 11 February 2014

But can it really be the case that the EU-sponsored Safer
Internet Day website has completely failed to implement the EU’s own on-line
privacy laws?

If you can find any info on cookies, your eyes are better
than mine.

Does the website really say in the “online issues” section that
digital footprints are a good thing, because they help prevent crime? To be fair, the website also explains that "every time you publish information online, for everyone to see, a little bit of your privacy will disappear and you will be adding to your online reputation and digital footprint."

Coincidentally, while Commissioner Viviane Reding was
attending official meetings in Central London today, thieves most unfortunately
stole a suitcase containing her personal effects and jewellery from her
unattended and unlocked official car. Apparently the only case they left was
the case containing her official documents.

Thank goodness they didn’t steal any of her papers. It would
have been deeply ironic if she had to report a personal data breach to the European
Data Protection Supervisor (yes, he who cannot yet be replaced) and face
disciplinary measures for her failure to properly safeguard personal data.

Sunday, 9 February 2014

Gossip is what keeps us going, and we puritans always enjoy
a quick peek into the private lives of others every now and again.

Many of us have had a good chuckle at the recent misfortunes of
those hapless American diplomats who forgot that their telephone calls were
capable of being monitored. The recent
“F*ck the EU” comment, uttered by US diplomat Victoria Nuland (pictured left) during
a phone conversation with the US
Ambassador to Ukraine Geoffrey Pyatt, when discussing a plan for UN Secretary
General Ban Ki-Moon to help sort out the situation in the country, won't be forgotten for some time (if ever).

It would have been nice for those who released the recording
to have included the bit where the US Ambassador scolded Nuland for making such
an uncouth remark. As this part of the conversation was not made public, I can
only assume that the scolding occurred at another time.

Perhaps, it was when the world+dog got to hear of her views.
Or when the US President learnt of them. Or, after EU foreign policy chief Catherine Ashton stated that the EU would not comment on a "leaked alleged" conversation. Or, when spokesman Christiane Wirtz stated that the German Chancellor had termed Nuland's remark "absolutely unacceptable."

If I were to bet on the identity of those responsible for the publication of the intercepted material, I would
not just cast my eye at the Russians, who surely must have the technical
capability to intercept diplomatic phone calls. I would also consider the
Germans, perhaps in retaliation for the recent revelations about the ability of
the US Administration to intercept Mrs Merkel’s phone calls. Revenge is a dish best served kälte.

Anyway in my eyes, this is “good surveillance,” as it serves
to keep all diplomats on their toes. They have to assume that whatever they do
is being monitored, and thus they have to behave properly at all times. In this day and age, diplomats should expect
to be held accountable for all their thoughts and actions.

This is a very different case than what I term “bad
surveillance,” which is what the experienced Telegraph journalist
Catherine Gee (pictured right) has recently been getting up to.

Those of us with nothing better to do last night might have
joined me in settling down on the sofa for
the latest episode of “The Voice,” the reality show where a bunch of
wannabes pitch for a career in show
business.

A “discovery” last night was one contestant, for whom news
of any previous show business experience
was withheld from us. We had to wait for Catherine's TV review to learn that the contestant: “had previously reached the bootcamp stage of The X Factor in 2010
and provided backing vocals for JLS.” But what was quite shocking was
Catherine’s next comment: “Some internet housekeeping has also recently taken
place as this information was gleaned from cached versions of deleted internet
pages.”

Is it ethical for a journalist to search through “deleted”
material for a show business story about a nobody?

Unless there is a sufficiently good reason
for this, I say no. There simply wasn’t enough in the story to allege that
we, the public, were being willfully misled either by a TV production team, or by said wannabe, to justify the intrusion into their past life.

What does this tell me?
That a Telegraph journalist is capable of doing the dirty on
wannabe starlets that have barely experienced their first few minutes of
fame. Said wannabe hasn't even had the chance
to be booted off the show after the first sing off, or to implode under the
pressure of living in the public eye.

The lesson we must learn is that, in the digital world, we
forfeit our right to privacy when we use the internet. We forfeit it for
reasons of national security, and also for the purposes of journalism. We
cannot assume that material no longer available on the internet has been
deleted. We have to assume that, thanks to tools like the Internet Archive, any
material we have previously uploaded is and will always remain available to
those who have the means to access it. Which include spies and journalists.

We have all lost the right to “forget.” Instead we should
campaign to replace it with a new one – the right to “forgive.”

Thursday, 6 February 2014

I had expected to have generated a little more feedback on my recent post about the
weakest EU privacy regulator. I had hoped that more people would have pointed
out that they were being misled. The trick, actually, is not to look too
closely at the range of resources or regulatory tools available to each
regulator when assessing their usefulness (or necessity).

This can be a pretty futile way of assessing the extent to
which data controllers comply with relevant laws.

What really matters is outcomes.

What really matters are the behaviours that are exhibited by
data controllers.

A regulator doesn't need a big stick (or a huge staff) if
the data controllers he is accountable for regulating are behaving decently.

Remember the 1995 movie Babe.

Babe (the pig) won the sheepdog trials not because he
frightened the sheep into compliance, but because he engaged constructively with
them, and in so doing he got them to act in ways that no-one had previously
managed.

The moral of today's blog is straightforward: we don't need regulators with big sticks (or a huge staff) if data controllers set out to
behave decently in the first place.

About Me

I'm Martin Hoskins, and I started this blog to offer a somewhat irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.